Unix Server Security and Auditing

1
Unix Server Security and Auditing
by linux-doks.de
2
Unix Server Security and Auditing
Security Targets The key security priciples are

• Freedom from risk or danger, safety.
• Freedom from doubt, anxiety, or fear confidence.
• Something that gives or assures safety, as
• A group or department of private guards Call
  building security if a visitor acts suspicious.
• Measures adopted by a government to prevent
  espionage, sabotage, or attack.
• Measures adopted, as by a business or homeowner,
  to prevent a crime such as burglary or assault
  Security was lax at the firm's smaller plant.
• Measures adopted to prevent escape Security in
  the prison is very tight.
• Something deposited or given as assurance of the
  fulfillment of an obligation a pledge.
• One who undertakes to fulfill the obligation of
  another a surety.
• A document indicating ownership or creditorship
  a stock certificate or bond.

by linux-doks.de
3
Unix Server Security and Auditing
Unix Server Security and Auditing
Definition of Security Se-cu-ri-ty

• Installed software should not have any known
  high- or medium-risk vulnerabilities
• Applicable security patches should be applied to
  the software
• Configuration should not have any known high- or
  medium-risk vulnerabilities
• Minimise risk of as-yet unknown vulnerabilities,
  only necessary network services should be enabled
• New vulnerabilities are discovered over time
  therefore this standard must be sufficiently
  dynamic to cover future problems
• All items in this software standard should be
  verifiable
• Sometimes it is necessary to deviate from this
  standard. A list of dispensations is included,
  covering items which have been reviewed and
  granted a temporary risk acceptance. Any other
  deviations require an individual risk acceptance
  to be raised.

by linux-doks.de
4
Unix Server Security and Auditing
Security Checks Following possible security
problems are known

• Running unsecure inet / xinetd services like
  echo, chargen, telnet, rlogin
• Running not generally provided services like
  vold, cupsd, lpd
• Portmap including NFS shares (except autofs)?
• Executable and FS Protection (Limit SUID
  executables, not owned files, world writable
  directories except sticky bit)?
• Accounts (Password expiring (except batch user),
  not accessed accounts, no passwd)
• SSH (Disabled root login (except golden host),
  using SSH version2 only)?
• Network (IP forwarding, Ignoring Broadcast ICMP
  Echo requests, disabled source routing)?
• Central logging hosts (just implemented with
  Syslog-ng Server)?
• Up2date of all systems
• Existing core files
• Boot loader passwords (grub)?

by linux-doks.de
5
Unix Server Security and Auditing
Host based Security and Auditing Tools Host base
Security and Auditing Tools to be considered

• Client only system
• Tripwire (Data integrity checker)?
• Aide (Data integrity checker)?
• Logsurfer (Real-time protocol checker)?
• Logwatch (Protocol analysis tool)?
• Tiger (Security audit and intrusion detection
  system)?
• Snare (Process and kernel monitoring)?
• Server/Client system
• Samhain/Yule (Security audit and intrusion
  detection system)?

by linux-doks.de
6
Unix Server Security and Auditing
Security and Auditing Tools Requirements
Contemplable Tool TIGER
by linux-doks.de
7
Unix Server Security and Auditing
Overview Tiger

• Start on every client once per hand (security
  audit) or via cron in calculated time intervals
  (intrusion detection system)?
• Client only system
• Runs on several UNIX derivates (AIX, HPUX, IRIX,
  Linux, NeXT, SunOS, Tru64)?
• Check of diskless clients possible (via check of
  manager system)?
• About 40 different checks (user, files, services,
  network)?
• Output optional as text or html
• Build of own modules possible
• Separately call of Tripwire and/or Aide

by linux-doks.de